README
¶
Traefik GitHub OAuth Plugin
This is a fork of MuXiu1997 repository. This fork is mostly fixing some of the security concerns I wanted to address. This will be kept synced with the main repo.
This is a Traefik middleware plugin that allows users to authenticate using GitHub OAuth.
The plugin is intended to be used as a replacement for the BasicAuth middleware,
providing a more secure way for users to access protected routes.
Quick Start (Docker)
-
Create a GitHub OAuth App
- See: https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app
- Set the Authorization callback URL to
http://<traefik-github-oauth-server-host>/oauth/redirect
-
Run the Traefik GitHub OAuth server
docker run -d --name traefik-github-oauth-server \ --network <traefik-proxy-network> \ -e 'GITHUB_OAUTH_CLIENT_ID=<client-id>' \ -e 'GITHUB_OAUTH_CLIENT_SECRET=<client-secret>' \ -e 'API_BASE_URL=http://<traefik-github-oauth-server-host>' \ -l 'traefik.http.services.traefik-github-oauth-server.loadbalancer.server.port=80' \ -l 'traefik.http.routers.traefik-github-oauth-server.rule=Host(`<traefik-github-oauth-server-host>`)' \ luizfonseca/traefik-github-oauth-server -
Install the Traefik GitHub OAuth plugin
Add this snippet in the Traefik Static configuration
experimental: plugins: github-oauth: moduleName: "github.com/luizfonseca/traefik-github-oauth-plugin" version: <version> -
Run your App
docker run -d --whoami test \ --network <traefik-proxy-network> \ --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.apiBaseUrl=http://traefik-github-oauth-server' \ --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.logins[0]=luizfonseca' \ --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.teams[0]=827726' \ --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \ --label 'traefik.http.routers.whoami.middlewares=whoami-github-oauth' \ traefik/whoami
Configuration
Server configuration
| Environment Variable | Description | Default | Required |
|---|---|---|---|
GITHUB_OAUTH_CLIENT_ID |
The GitHub OAuth App client id | Yes | |
GITHUB_OAUTH_CLIENT_SECRET |
The GitHub OAuth App client secret | Yes | |
GITHUB_OAUTH_SCOPES |
Additional scopes to be added to the Oauth workflow. | No | |
API_BASE_URL |
The base URL of the Traefik GitHub OAuth server | Yes | |
API_SECRET_KEY |
The api secret key. You can ignore this if you are using the internal network | No | |
SERVER_ADDRESS |
The server address | :80 |
No |
DEBUG_MODE |
Enable debug mode and set log level to debug | false |
No |
LOG_LEVEL |
The log level, Available values: debug, info, warn, error | info |
No |
Middleware Configuration
# The base URL of the Traefik GitHub OAuth server
apiBaseUrl: http://<traefik-github-oauth-server-host>
# The api secret key. You can ignore this if you are using the internal network
apiSecretKey: optional_secret_key_if_not_on_the_internal_network
# The path to redirect to after the user has authenticated, defaults to /_auth
# Note: This path is not GitHub OAuth App's Authorization callback URL
authPath: /_auth
# optional jwt secret key, if not set, the plugin will generate a random key
jwtSecretKey: optional_secret_key
# The log level, defaults to info
# Available values: debug, info, warn, error
logLevel: info
# whitelist
whitelist:
# The list of GitHub user ids that are whitelisted to access the resources
ids:
- 996
# The list of GitHub user logins that are whitelisted to access the resources
logins:
- luizfonseca
# The list of Github Teams that are whitelisted to access the resources
teams:
- 988772
OAuth Configuration
For the OAuth configuration, you need to create a GitHub OAuth App.
You can follow the steps in the GitHub documentation to create it and obtain the GITHUB_OAUTH_CLIENT_ID and GITHUB_OAUTH_CLIENT_SECRET values.
OAuth Scopes
- For
idsandloginsyou don't need extra scopes. - For
teamsyou might need to request theread:orgscope from the user. See the documentation.- You can do so by updating the
GITHUB_OAUTH_SCOPESenvironment variable with the desired additional scopes, e.g.GITHUB_OAUTH_SCOPES="read:org"via the Server Configuration.
- You can do so by updating the
License
Documentation
¶
Index ¶
Constants ¶
View Source
const (
DefaultConfigAuthPath = "/_auth"
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Config ¶
type Config struct {
ApiBaseUrl string `json:"api_base_url,omitempty"`
ApiSecretKey string `json:"api_secret_key,omitempty"`
AuthPath string `json:"auth_path,omitempty"`
JwtSecretKey string `json:"jwt_secret_key,omitempty"`
LogLevel string `json:"log_level,omitempty"`
Whitelist ConfigWhitelist `json:"whitelist,omitempty"`
}
Config the middleware configuration.
func CreateConfig ¶
func CreateConfig() *Config
CreateConfig creates the default middleware configuration.
type ConfigWhitelist ¶
type ConfigWhitelist struct {
TwoFactorAuthRequired string `json:"two_factor_auth_required,omitempty"`
// Ids the GitHub user id list.
Ids []string `json:"ids,omitempty"`
// Logins the GitHub user login list.
Logins []string `json:"logins,omitempty"`
// Team IDs that the user must be a member of
Teams []string `json:"teams,omitempty"`
}
ConfigWhitelist the middleware configuration whitelist.
type TraefikGithubOauthMiddleware ¶
type TraefikGithubOauthMiddleware struct {
// contains filtered or unexported fields
}
TraefikGithubOauthMiddleware the middleware.
func (*TraefikGithubOauthMiddleware) ServeHTTP ¶
func (tg *TraefikGithubOauthMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request)
ServeHTTP implements http.Handler.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.